bitrat | 263b305d6a17491a0dd9dd32c5e56536263326e716e0474a132c1d8f8cc0878d

General

Target

Bon de commande.exe
Size

26KB
MD5

00286c04e7817a33d830719ef9afda61
SHA1

3e59b07e3aa255dc4086c9c631d814ac201e9951
SHA256

263b305d6a17491a0dd9dd32c5e56536263326e716e0474a132c1d8f8cc0878d
SHA512

917d83abba42301eabf3e5bdc7450300150925955cc2b6ddb40b28338c2014ec30c234fad245bc19f5d5345f5ad5de55e0a738e7bb9fa96b765117c3410a8612

Score

10^/10

bitrat persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1244-121-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1244-122-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1244-123-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bon de commande.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowexe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Demo\\Windowexe.exe\""	Bon de commande.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Bon de commande.exe

pid process

1244 Bon de commande.exe
1244 Bon de commande.exe
1244 Bon de commande.exe
1244 Bon de commande.exe
1244 Bon de commande.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bon de commande.exe

description pid process target process

PID 2224 set thread context of 1244 2224 Bon de commande.exe Bon de commande.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1244	Bon de commande.exe
1244	Bon de commande.exe
1244	Bon de commande.exe
1244	Bon de commande.exe
1244	Bon de commande.exe

description	pid	process	target process
PID 2224 set thread context of 1244	2224	Bon de commande.exe	Bon de commande.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2784	PING.EXE
848	PING.EXE
584	PING.EXE
392	PING.EXE
740	PING.EXE
1032	PING.EXE
2136	PING.EXE
1748	PING.EXE
3688	PING.EXE
3728	PING.EXE
2372	PING.EXE
3940	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Bon de commande.exe

pid process

2224 Bon de commande.exe
2224 Bon de commande.exe
2224 Bon de commande.exe
2224 Bon de commande.exe
2224 Bon de commande.exe
2224 Bon de commande.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Bon de commande.exeBon de commande.exe

description pid process

Token: SeDebugPrivilege 2224 Bon de commande.exe
Token: SeShutdownPrivilege 1244 Bon de commande.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Bon de commande.exe

pid process

1244 Bon de commande.exe
1244 Bon de commande.exe

pid	process
2224	Bon de commande.exe
2224	Bon de commande.exe
2224	Bon de commande.exe
2224	Bon de commande.exe
2224	Bon de commande.exe
2224	Bon de commande.exe

description	pid	process
Token: SeDebugPrivilege	2224	Bon de commande.exe
Token: SeShutdownPrivilege	1244	Bon de commande.exe

pid	process
1244	Bon de commande.exe
1244	Bon de commande.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bon de commande.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2224 wrote to memory of 3524	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 3524	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 3524	2224	Bon de commande.exe	cmd.exe
PID 3524 wrote to memory of 3688	3524	cmd.exe	PING.EXE
PID 3524 wrote to memory of 3688	3524	cmd.exe	PING.EXE
PID 3524 wrote to memory of 3688	3524	cmd.exe	PING.EXE
PID 2224 wrote to memory of 1332	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 1332	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 1332	2224	Bon de commande.exe	cmd.exe
PID 1332 wrote to memory of 848	1332	cmd.exe	PING.EXE
PID 1332 wrote to memory of 848	1332	cmd.exe	PING.EXE
PID 1332 wrote to memory of 848	1332	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2316	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2316	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2316	2224	Bon de commande.exe	cmd.exe
PID 2316 wrote to memory of 584	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 584	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 584	2316	cmd.exe	PING.EXE
PID 2224 wrote to memory of 3972	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 3972	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 3972	2224	Bon de commande.exe	cmd.exe
PID 3972 wrote to memory of 3728	3972	cmd.exe	PING.EXE
PID 3972 wrote to memory of 3728	3972	cmd.exe	PING.EXE
PID 3972 wrote to memory of 3728	3972	cmd.exe	PING.EXE
PID 2224 wrote to memory of 1344	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 1344	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 1344	2224	Bon de commande.exe	cmd.exe
PID 1344 wrote to memory of 392	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 392	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 392	1344	cmd.exe	PING.EXE
PID 2224 wrote to memory of 944	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 944	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 944	2224	Bon de commande.exe	cmd.exe
PID 944 wrote to memory of 740	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 740	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 740	944	cmd.exe	PING.EXE
PID 2224 wrote to memory of 384	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 384	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 384	2224	Bon de commande.exe	cmd.exe
PID 384 wrote to memory of 2372	384	cmd.exe	PING.EXE
PID 384 wrote to memory of 2372	384	cmd.exe	PING.EXE
PID 384 wrote to memory of 2372	384	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2336	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2336	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2336	2224	Bon de commande.exe	cmd.exe
PID 2336 wrote to memory of 1032	2336	cmd.exe	PING.EXE
PID 2336 wrote to memory of 1032	2336	cmd.exe	PING.EXE
PID 2336 wrote to memory of 1032	2336	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2176	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2176	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2176	2224	Bon de commande.exe	cmd.exe
PID 2176 wrote to memory of 2136	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 2136	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 2136	2176	cmd.exe	PING.EXE
PID 2224 wrote to memory of 3128	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 3128	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 3128	2224	Bon de commande.exe	cmd.exe
PID 3128 wrote to memory of 1748	3128	cmd.exe	PING.EXE
PID 3128 wrote to memory of 1748	3128	cmd.exe	PING.EXE
PID 3128 wrote to memory of 1748	3128	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2292	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2292	2224	Bon de commande.exe	cmd.exe
PID 2224 wrote to memory of 2292	2224	Bon de commande.exe	cmd.exe
PID 2292 wrote to memory of 3940	2292	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:3728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:2784

C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
2⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-121-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1244-122-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1244-123-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2224-115-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2224-116-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2224-117-0x0000000005B30000-0x0000000005CDE000-memory.dmp

Filesize
1.7MB

Download
memory/2224-118-0x0000000006E90000-0x0000000007026000-memory.dmp

Filesize
1.6MB

Download
memory/2224-119-0x0000000007030000-0x000000000707C000-memory.dmp

Filesize
304KB

Download
memory/2224-120-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads